As companies depend more on technology to conduct business, they are also increasingly subject to technology’s unique vulnerabilities. These are wide-ranging and can include system or supply chain disruption or failures, distributed denial of service, hacking and ransomware attacks that may result in increased costs and lost revenue, according to Guy Carpenter colleagues Siobhan O’Brien, International Cyber Center of Excellence Leader, and Erica Davis, North America Cyber Center of Excellence Leader.
The timing and severity of these issues can be difficult to predict, and companies increasingly look to their insurance policies to cover business interruptions stemming from these events. Businesses would traditionally have relied on their property policies for this coverage; however, property insurers have been reluctant to address this financial, nonphysical loss and have been pushing their clients to purchase cyber-specific policies for these risks by excluding this coverage under their property policies.
The NotPetya/WannaCry attacks in 2017 changed the landscape for cyber risk awareness. These events demonstrated the speed at which cyber-attacks can spread and go beyond the traditional limitations of size, geography or industry sector, and highlighted the reliance on supply chains and the financial impact of disruption to them. Furthermore, the attacks challenged the boundaries of traditional policies, with payment of cyber-related claims sought under non-cyber policies. Following these events, (re)insurers and regulators around the world agreed that something needed to change in how silent cyber exposures are identified and addressed. Global insurers such as Allianz and AIG were amongst the first (re)insurers to make public statements to clarify their intent for policyholders.
AIG commentary: “American International Group Inc. will make all of its cyber insurance coverage explicit. The shift from silent cyber was designed not only to allow AIG to understand its own exposure better, but also to make it clearer to clients what is and is not covered under its cyber policies.”
Allianz commentary: “We will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed. The new strategy also responds to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.” (1)